The present application relates to computer networks, and more particularly to network architectures with firewalls.
Network connectivity offers numerous advantages. However, security may be a major concern when connecting a computer to a network such as the Internet. There are significant security risks associated with computer networks, and these risks may not be obvious to either new or existing users. One particular risk is unauthorized access and activity, including theft and destruction of data and intellectual property. Intruder activity can be difficult to discover and to remedy. Many organizations have lost productive time and money in dealing with intruder activity, and the reputations of some organizations have suffered as a result of negative publicity created by intruder activity at their sites.
Installation of a firewall is one technique that has proven effective in improving the security of a private network or site. A firewall is a system of related programs, usually installed on a network gateway server, that protects the data and resources of a private network from users outside the network. A firewall may also be installed on one or more lower-level gateways so as to provide protection for a specific set or subset of a private network. Firewalls are often installed on specially designated computers that are separate from the private network so that no incoming request can access the resources of the private network directly.
The main purpose of a firewall is to protect the applications, services, data, and other resources located on a private network by securing access to those resources. A firewall may also be used to control which outside resources the users of a private network may access.
Firewalls can be implemented using various conventional screening methods. One common technique is to allow requests to proceed only if they come from acceptable, previously-identified domain names or Internet Protocol (IP) addresses. Firewalls can also be implemented at the application level rather than the network level. An application level firewall examines requests at a higher level than the network level. For example, an application level firewall may examine application requests such as Hypertext Transfer Protocol (HTTP) requests, Structured Query Language (SQL) requests, or Simple Object Access Protocol (SOAP) requests, rather than the network addresses from which the requests originate. An application level firewall can be configured, for example, to screen out all requests other than those sent to known applications or programs running on a server. The server's port mechanism can be used to implement such a firewall. Firewalls may also allow remote access to private networks through the use of secure logon procedures or authentication credentials (e.g., digital certificates, one-time passwords, or security tokens).
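The two screening levels described above, as an added illustration that is not part of the present application: a network-level screen that admits only previously-identified source networks, followed by an application-level screen that parses the HTTP request line and admits only requests addressed to a known application on a known server port. The allowed networks, the port-to-application table and the sample requests are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: previously-identified source networks (network-level screen)
# and the known applications on the server, keyed by port (application-level screen).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]
KNOWN_APPLICATIONS = {  # port -> permitted URL path prefixes of known applications
    80: ("/public/",),
    8080: ("/api/", "/status/"),
}

@dataclass
class Request:
    src_ip: str
    dst_port: int
    request_line: str  # e.g. "GET /api/users HTTP/1.1"

def network_level_allowed(src_ip: str) -> bool:
    """Network-level screen: accept only source addresses inside an allowed network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:  # unparsable address is never acceptable
        return False
    return any(addr in net for net in ALLOWED_NETWORKS)

def application_level_allowed(dst_port: int, request_line: str) -> bool:
    """Application-level screen: inspect the HTTP request line itself and admit
    only well-formed requests addressed to a known application on a known port."""
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] not in ("GET", "POST", "HEAD") or not parts[2].startswith("HTTP/"):
        return False  # malformed or unexpected request line
    path = parts[1]
    if not path.startswith("/") or "/.." in path:
        return False  # reject non-absolute targets and path traversal attempts
    prefixes = KNOWN_APPLICATIONS.get(dst_port)
    return prefixes is not None and any(path.startswith(p) for p in prefixes)

def screen(req: Request) -> tuple[bool, str]:
    """Evaluate both layers in order; the reason string is what a gateway would log."""
    if not network_level_allowed(req.src_ip):
        return False, "network-level: source address not previously identified"
    if not application_level_allowed(req.dst_port, req.request_line):
        return False, "application-level: request not addressed to a known application"
    return True, "allowed"

if __name__ == "__main__":
    for r in (Request("10.1.2.3", 8080, "GET /api/users HTTP/1.1"),      # allowed
              Request("203.0.113.5", 8080, "GET /api/users HTTP/1.1"),   # unknown source
              Request("10.1.2.3", 80, "GET /public/../etc/passwd HTTP/1.1")):  # traversal
        print(r.src_ip, r.dst_port, r.request_line, "->", screen(r))
```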
Firewalls can be used to implement and enforce an organization's network access policy by forcing all network connections to pass through a firewall gateway, where the connections can be examined and evaluated. Firewalls can also control or restrict access to or from selected systems, block certain services, and provide additional security functionality, such as the replacement of simple password mechanisms with advanced authentication measures. Firewalls may also provide other advantages by concentrating security, protecting vulnerable services, enhancing privacy, maintaining logs and statistics on network use, and enforcing a network misuse policy.
Without a firewall, an intranet or private network may be exposed to probes and attacks from external sources. In an environment without a firewall, network security may rely on the security of individual host computers, which must cooperate to achieve a uniformly high level of security. This can become a significant issue as the size of the private network increases: the larger the network, the less manageable it is to maintain the same level of security for all the hosts on the network. As mistakes and lapses in security arise, break-ins may occur. Such break-ins may not be the result of complex attacks, but may be caused by simple errors in configuration and inadequate password protection.